Scheduler external security (option SECURITY=EXTERNAL) is not working. How to diagnose and correct the issue?
Security issues normally fall into two categories: either users can access resources they should not be able to access, or users cannot access resources they should be able to access.
The procedure to diagnose the problem is the same for both cases.
Start by displaying the Scheduler options.
// EXEC CAJUTIL0
//SYSIN DD *
REPORT OPTIONS
//
Find the setting for option SECURITY. SECURITY=EXTERNAL is recommended.
Scheduler commands are placed in two groups: database commands and tracking commands. Database commands interact with the workload definitions and include commands such as DEFINE, ALTER, DELETE, FORECAST, SYNCHK, and ANALYZE. Tracking commands interact with the current workload (today's jobs) and include RUN, CANCEL, RERUN, PURGE, and POST.
In the REPORT OPTIONS output, locate the CAIJ$SEC security options. Make sure the DBASE and TRACK options are both set to YES.
If the problem has not been resolved, turn on a Scheduler trace to determine what security calls are being made. Use the following job step to turn on the trace:
// EXEC CAJUTIL0
//SYSIN DD *
CAISUPT SET=2
//
With this trace activated, every security call will generate WTO (write to operator) messages explaining the type of security call and the response from the security product.
For example, selecting a schedule called PAYROLL from online would generate these messages:
CAJSMSG0 (userid ) FUNC=RESCHECK CLS=CACMD
FLGS=00 ATTR=*BLANK ENTY=CHDSPSBR
CAJSMSG0 (userid ) RC=00 DRC=00 RACC=00
AACC=00 FLGS=00
CAJSMSG0 (userid ) FUNC=RESCHECK CLS=SCHEDULE
FLGS=00 ATTR=READ ENTY=PAYROLL
CAJSMSG0 (userid ) SAFC RC=00 DRC=00 RACC=00
AACC=00 FLGS=00
The trace shows two resource checks (RESCHECK) made for this display. The first is for the resource class (CLS=) CACMD and entity (ENTY=) CHDSPSBR to determine if the user (userid) has authority to display schedules. The second resource check determines if the user has authority to view (ATTR=READ) the schedule (CLS=SCHEDULE) called PAYROLL (ENTY=PAYROLL).
In both cases, the "RC=00" means that the security product indicated the user has access to the specified resource. A return code of 8 or greater would deny access.
You can use this trace to determine 1) whether Scheduler is making the security call, and 2) whether Scheduler is honoring the security product's decision.
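Reading these WTO pairs by hand is tedious once the trace covers more than one or two actions, because each request and its reply wrap across two lines. The following Python script is an added example, not part of the original article or of CA Scheduler: it rejoins the wrapped CAJSMSG0 records from a captured trace, pairs each FUNC=RESCHECK request with the RC= reply that follows it, and flags any check the security product denied (RC of 8 or greater) or that never received a reply. The sample trace is constructed from the PAYROLL example above; the third check (ATTR=UPDATE answered with RC=08) is an assumed denial added so the denial path is exercised, and the user ID USER01 is likewise made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample trace modelled on the page's PAYROLL example. The third
# check (ATTR=UPDATE answered with RC=08) is an assumed denial added here to
# exercise the denial path; it is not from the original trace.
SAMPLE_TRACE = """\
CAJSMSG0 (USER01 ) FUNC=RESCHECK CLS=CACMD
FLGS=00 ATTR=*BLANK ENTY=CHDSPSBR
CAJSMSG0 (USER01 ) SAFC RC=00 DRC=00 RACC=00
AACC=00 FLGS=00
CAJSMSG0 (USER01 ) FUNC=RESCHECK CLS=SCHEDULE
FLGS=00 ATTR=READ ENTY=PAYROLL
CAJSMSG0 (USER01 ) SAFC RC=00 DRC=00 RACC=00
AACC=00 FLGS=00
CAJSMSG0 (USER01 ) FUNC=RESCHECK CLS=SCHEDULE
FLGS=00 ATTR=UPDATE ENTY=PAYROLL
CAJSMSG0 (USER01 ) SAFC RC=08 DRC=08 RACC=08
AACC=08 FLGS=00
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")            # KEY=VALUE tokens
USER_RE = re.compile(r"CAJSMSG0\s*\((\S*)\s*\)")    # the (userid ) field


@dataclass
class SecurityCheck:
    userid: str
    func: str
    cls: str
    enty: str
    attr: str
    rc: Optional[int] = None                 # SAF return code; None if no reply seen
    reply: Dict[str, str] = field(default_factory=dict)

    @property
    def denied(self) -> bool:
        # Rule from the article: RC=00 grants access, 8 or greater denies.
        return self.rc is not None and self.rc >= 8


def _records(text: str) -> List[str]:
    """Rejoin wrapped WTO lines: every trace record starts with CAJSMSG0."""
    recs: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("CAJSMSG0"):
            recs.append(line)
        elif recs:
            recs[-1] += " " + line           # continuation of the previous record
    return recs


def parse_trace(text: str) -> List[SecurityCheck]:
    """Pair each FUNC= request record with the RC= reply record that follows it."""
    checks: List[SecurityCheck] = []
    pending: Optional[SecurityCheck] = None
    for rec in _records(text):
        kv = dict(KV_RE.findall(rec))
        m = USER_RE.search(rec)
        userid = m.group(1) if m else "?"
        if "FUNC" in kv:
            pending = SecurityCheck(userid, kv["FUNC"], kv.get("CLS", ""),
                                    kv.get("ENTY", ""), kv.get("ATTR", ""))
            checks.append(pending)
        elif "RC" in kv and pending is not None and pending.rc is None:
            # Two-digit codes as shown in the trace; read as hex (00 -> 0, 08 -> 8).
            pending.rc = int(kv["RC"], 16)
            pending.reply = kv
    return checks


def denied_checks(checks: List[SecurityCheck]) -> List[SecurityCheck]:
    """Checks the security product rejected: the user lacks the resource."""
    return [c for c in checks if c.denied]


def unanswered_checks(checks: List[SecurityCheck]) -> List[SecurityCheck]:
    """Requests with no RC= reply: Scheduler called, but no decision came back."""
    return [c for c in checks if c.rc is None]


def report(text: str) -> List[str]:
    """One line per check, suitable for eyeballing a long trace."""
    lines = []
    for c in parse_trace(text):
        status = "NO REPLY" if c.rc is None else ("DENIED" if c.denied else "GRANTED")
        lines.append(f"{status:8} user={c.userid} {c.func} CLS={c.cls} "
                     f"ENTY={c.enty} ATTR={c.attr} RC={c.rc}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```

Feed it the CAJSMSG0 lines copied from SYSLOG while the CAISUPT SET=2 trace is active. A request with no matching reply points at the call not reaching the security product; a DENIED line whose class and entity match the action the user tried tells you which profile to review, and a GRANTED line for an action the user was still refused suggests Scheduler is not honoring the decision.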
To turn off the trace, use the following job step:
// EXEC CAJUTIL0
//SYSIN DD *
CAISUPT RESET=2
//